{
 "cells": [
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "# T1016 - System Network Configuration Discovery",
    "\n",
    "Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include [Arp](https://attack.mitre.org/software/S0099), [ipconfig](https://attack.mitre.org/software/S0100)/[ifconfig](https://attack.mitre.org/software/S0101), [nbtstat](https://attack.mitre.org/software/S0102), and [route](https://attack.mitre.org/software/S0103).\n\nAdversaries may use the information from [System Network Configuration Discovery](https://attack.mitre.org/techniques/T1016) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions."
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "## Atomic Tests"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": [
    "#Import the Module before running the tests.\n# Checkout Jupyter Notebook at https://github.com/haresudhan/TheAtomicPlaybook to run PS scripts.\nImport-Module /Users/0x6c/AtomicRedTeam/atomics/invoke-atomicredteam/Invoke-AtomicRedTeam.psd1 - Force"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "### Atomic Test #1 - System Network Configuration Discovery on Windows\nIdentify network configuration information\n\nUpon successful execution, cmd.exe will spawn multiple commands to list network configuration settings. Output will be via stdout.\n\n**Supported Platforms:** windows\n#### Attack Commands: Run with `command_prompt`\n```command_prompt\nipconfig /all\nnetsh interface show interface\narp -a\nnbtstat -n\nnet config\n```"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": [
    "Invoke-AtomicTest T1016 -TestNumbers 1"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "### Atomic Test #2 - List Windows Firewall Rules\nEnumerates Windows Firewall Rules using netsh.\n\nUpon successful execution, cmd.exe will spawn netsh.exe to list firewall rules. Output will be via stdout.\n\n**Supported Platforms:** windows\n#### Attack Commands: Run with `command_prompt`\n```command_prompt\nnetsh advfirewall firewall show rule name=all\n```"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": [
    "Invoke-AtomicTest T1016 -TestNumbers 2"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "### Atomic Test #3 - System Network Configuration Discovery\nIdentify network configuration information.\n\nUpon successful execution, sh will spawn multiple commands and output will be via stdout.\n\n**Supported Platforms:** macos, linux\n#### Attack Commands: Run with `sh`\n```sh\nif [ -x \"$(command -v arp)\" ]; then arp -a; else echo \"arp is missing from the machine. skipping...\"; fi;\nif [ -x \"$(command -v ifconfig)\" ]; then ifconfig; else echo \"ifconfig is missing from the machine. skipping...\"; fi;\nif [ -x \"$(command -v ip)\" ]; then ip addr; else echo \"ip is missing from the machine. skipping...\"; fi;\nif [ -x \"$(command -v netstat)\" ]; then netstat -ant | awk '{print $NF}' | grep -v '[a-z]' | sort | uniq -c; else echo \"netstat is missing from the machine. skipping...\"; fi;\n```"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": [
    "Invoke-AtomicTest T1016 -TestNumbers 3"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "### Atomic Test #4 - System Network Configuration Discovery (TrickBot Style)\nIdentify network configuration information as seen by Trickbot and described here https://www.sneakymonkey.net/2019/10/29/trickbot-analysis-part-ii/\n\nUpon successful execution, cmd.exe will spawn `ipconfig /all`, `net config workstation`, `net view /all /domain`, `nltest /domain_trusts`. Output will be via stdout.\n\n**Supported Platforms:** windows\n#### Attack Commands: Run with `command_prompt`\n```command_prompt\nipconfig /all\nnet config workstation\nnet view /all /domain\nnltest /domain_trusts\n```"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": [
    "Invoke-AtomicTest T1016 -TestNumbers 4"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "### Atomic Test #5 - List Open Egress Ports\nThis is to test for what ports are open outbound.  The technique used was taken from the following blog:\nhttps://www.blackhillsinfosec.com/poking-holes-in-the-firewall-egress-testing-with-allports-exposed/\n\nUpon successful execution, powershell will read top-128.txt (ports) and contact each port to confirm if open or not. Output will be to Desktop\\open-ports.txt.\n\n**Supported Platforms:** windows\n#### Dependencies:  Run with `powershell`!\n##### Description: Test requires #{port_file} to exist\n\n##### Check Prereq Commands:\n```powershell\nif (Test-Path \"PathToAtomicsFolder\\T1016\\src\\top-128.txt\") {exit 0} else {exit 1}\n\n```\n##### Get Prereq Commands:\n```powershell\nNew-Item -Type Directory (split-path PathToAtomicsFolder\\T1016\\src\\top-128.txt) -ErrorAction ignore | Out-Null\nInvoke-WebRequest \"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1016/src/top-128.txt\" -OutFile \"PathToAtomicsFolder\\T1016\\src\\top-128.txt\"\n\n```"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": [
    "Invoke-AtomicTest T1016 -TestNumbers 5 -GetPreReqs"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "#### Attack Commands: Run with `powershell`\n```powershell\n$ports = Get-content PathToAtomicsFolder\\T1016\\src\\top-128.txt\n$file = \"$env:USERPROFILE\\Desktop\\open-ports.txt\"\n$totalopen = 0\n$totalports = 0\nNew-Item $file -Force\nforeach ($port in $ports) {\n    $test = new-object system.Net.Sockets.TcpClient\n    $wait = $test.beginConnect(\"allports.exposed\", $port, $null, $null)\n    $wait.asyncwaithandle.waitone(250, $false) | Out-Null\n    $totalports++ | Out-Null\n    if ($test.Connected) {\n        $result = \"$port open\" \n        Write-Host -ForegroundColor Green $result\n        $result | Out-File -Encoding ASCII -append $file\n        $totalopen++ | Out-Null\n    }\n    else {\n        $result = \"$port closed\" \n        Write-Host -ForegroundColor Red $result\n        $totalclosed++ | Out-Null\n        $result | Out-File -Encoding ASCII -append $file\n    }\n}\n$results = \"There were a total of $totalopen open ports out of $totalports ports tested.\"\n$results | Out-File -Encoding ASCII -append $file\nWrite-Host $results\n```"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": [
    "Invoke-AtomicTest T1016 -TestNumbers 5"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "## Detection",
    "\n",
    "System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.\n\nMonitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001)."
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "## Shield Active Defense\n### Decoy Content  \n Seed content that can be used to lead an adversary in a specific direction, entice a behavior, etc. \n\n Decoy Content is the data used to tell a story to an adversary. This content can be legitimate or synthetic data which is used to reinforce or validate your defensive strategy. Examples of decoy content are files on a storage object, entries in the system registry, system shortcuts, etc.\n#### Opportunity\nThere is an opportunity to influence an adversary to move toward systems you want them to engage with.\n#### Use Case\nA defender can create breadcrumbs or honeytokens to lure the attackers toward the decoy systems or network services.\n#### Procedures\nCreate directories and files with names and contents using key words that may be relevant to an adversary to see if they examine or exfiltrate the data.\nSeed a file system with content that is of no value to the company but reinforces the legitimacy of the system if viewed by an adversary."
   ]
  }
 ],
 "metadata": {
  "kernelspec": {
   "display_name": ".NET (PowerShell)",
   "language": "PowerShell",
   "name": ".net-powershell"
  },
  "language_info": {
   "file_extension": ".ps1",
   "mimetype": "text/x-powershell",
   "name": "PowerShell",
   "pygments_lexer": "powershell",
   "version": "7.0"
  }
 },
 "nbformat": 4,
 "nbformat_minor": 4
}